This comment has been minimized.

Please don't mail security@golang.org, even if one might argue that many fuzz bugs are somehow security bugs. We don't want alert fatigue there. (Yes, one might argue if we fix all our fuzz issues there would be no alerts or fatigue)

But as Bryan said, GitHub would be best. If that's too hard we can create a separate mailing list just for this.

This comment has been minimized.

I agree GitHub issues would be best. I'd only make an exception for the crypto packages (crypto/... and golang.org/x/crypto/...), which should go to security@. I can think of multiple fuzzed security issues there over the years.

I'll join the google/oss-fuzz#2188 thread after reading how the integration works, as I'd be happy to maintain and expand the fuzzers for the crypto code in particular. Also, I know of another effort by @mmcloughlin which we should probably merge.